From cybersecurity-skills
Guides security incident triage and initial response following NIST SP 800-61. Use for breaches, malware, or suspicious activity.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:incident-triage
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Guide rapid triage and initial response to security incidents. Follow NIST SP 800-61 methodology.
Cross-references:
- siem-detection for the rules that produced the alert this triage is responding to
- disk-forensics for deeper disk and memory analysis once a host is contained
- breach-patterns for the post-incident pattern extraction that hardens against recurrence
- soc-operations for the operational layer above this skill (runbooks, escalation, handoff)
- security-comms for the stakeholder / customer notifications the response generates
- privacy-engineering / hipaa-audit / pci-audit for the regulatory-clock determination when personal data, PHI, or cardholder data is involved
- ai-risk-management for AI-specific incident classes (model failure, fairness drift, jailbreak exploitation in production)
Determine incident type:
Determine severity:
Based on type and severity:
Critical: Do NOT power off systems. Volatile memory contains evidence: injected code, decrypted keys, and live network state exist only in RAM and are lost at power-off.
Capture in order of volatility (most volatile first). Run the collectors from a known-good toolkit where possible, because a compromised host's own ps, ss and lsof may be trojaned or lied to by a rootkit, and write the output to responder-controlled media rather than the suspect disk so you do not overwrite unallocated space that may still hold deleted evidence:
```
# 1. Running processes
ps auxf                          # Linux
tasklist /v                      # Windows
# 2. Network connections
ss -tupn                         # Linux
netstat -anob                    # Windows (elevated prompt needed for -b)
# 3. Logged-in users
who -a                           # Linux
query user                       # Windows
# 4. Open files
lsof -nP                         # Linux
# 5. System logs
journalctl --since "1 hour ago"  # Linux/systemd
```
If memory forensics tools are available (LiME, WinPmem), capture a memory dump before running any of the commands above: every process you start allocates pages and can overwrite the very memory you are trying to preserve.
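The capture sequence above as a runnable Linux script, added here as an example and not part of the cybersecurity-skills plugin. It assumes an evidence directory on responder-controlled media (the path is an argument) and an optional `IR_TOOLS` directory of known-good static binaries (a hypothetical name, prepended to `PATH`); each collector's output is stored with a UTC header, hashed, and listed in a manifest that is itself sealed with SHA-256, and a collector that is missing on the host is recorded as SKIPPED rather than aborting the run. The memory dump stays a manual step before invoking this script, since LiME needs a module built for the exact running kernel.

```shell
#!/bin/sh
# Ordered volatile-data capture for a Linux host under triage (added example,
# not code from the cybersecurity-skills plugin). Assumptions:
#  - the evidence directory lives on responder-controlled media (USB, NFS,
#    sshfs), never on the suspect host's own disk;
#  - IR_TOOLS (hypothetical name) points at a directory of known-good static
#    binaries, so a trojaned or rootkit-hidden ps/ss/lsof is bypassed.
set -u
PATH="${IR_TOOLS:-/mnt/ir-tools}:$PATH"; export PATH

# SHA-256 of a file, using whichever hashing tool the toolkit provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# capture_step <evidence-dir> <label> <command...>
# Runs one collector, stores its output under a UTC header, and appends a
# manifest line: label, exit status, SHA-256, path. A missing tool is
# recorded as SKIPPED so the remaining, less volatile data is still captured.
capture_step() {
  local dir label out rc
  dir=$1; label=$2; shift 2
  out="$dir/$label.txt"
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s\tSKIPPED\t-\t%s not found\n' "$label" "$1" >>"$dir/manifest.tsv"
    return 0
  fi
  printf '# cmd: %s\n# host: %s\n# utc: %s\n' "$*" \
    "$(hostname 2>/dev/null || echo unknown)" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >"$out"
  rc=0
  "$@" >>"$out" 2>&1 || rc=$?          # keep going; the status is evidence too
  printf '%s\t%s\t%s\t%s\n' "$label" "$rc" "$(sha256_of "$out")" "$out" \
    >>"$dir/manifest.tsv"
}

# collect_volatile <evidence-dir>
# Runs the page's collectors most-volatile-first and prints the number of
# manifest entries written. Take the memory dump (LiME/WinPmem) before
# calling this: every process started here perturbs memory.
collect_volatile() {
  local dir
  dir=$1
  mkdir -p "$dir"
  : >"$dir/manifest.tsv"
  capture_step "$dir" 01-processes ps auxf
  capture_step "$dir" 02-network   ss -tupn
  capture_step "$dir" 03-users     who -a
  capture_step "$dir" 04-openfiles lsof -nP
  capture_step "$dir" 05-journal   journalctl --since "1 hour ago" --no-pager
  # Seal the manifest so later edits to any captured file are detectable.
  sha256_of "$dir/manifest.tsv" >"$dir/manifest.sha256"
  grep -c '' "$dir/manifest.tsv"
}

# Usage (as root): ./volatile.sh /mnt/evidence/web-01
if [ "$#" -gt 0 ]; then
  collect_volatile "$1"
fi
```

Record the manifest hash in the report's Evidence Preserved table; re-hashing the manifest later proves the capture set was not altered between triage and deeper forensics.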
For each suspicious indicator, document:
Common analysis:
Extract and document all indicators of compromise:
| Type | Examples |
|---|---|
| IP addresses | Source and destination IPs |
| Domains | C2 domains, phishing domains |
| File hashes | MD5 and SHA256 of suspicious files |
| File paths | Malware locations, dropped files |
| Email addresses | Phishing sender addresses |
| URLs | Malicious URLs, C2 endpoints |
| User agents | Unusual or known-malicious user agents |
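An extractor for the indicator types in the table above, added here as an example and not part of the cybersecurity-skills plugin. It tokenises raw log lines, classifies each token (hash by length, URL, email, IPv4 with octet validation, domain with a file-extension filter so `gate.php` is not reported as a host), takes the host out of each URL as a domain indicator in its own right, and emits the values defanged for the report. The sample nginx/sshd/EDR/postfix lines are constructed, using RFC 5737 and RFC 2606 reserved addresses and names; the two hashes are the well-known digests of the empty string.

```shell
#!/bin/sh
# IOC extraction from raw log lines (added example, not plugin code).
# Sample data below is constructed; reserved example addresses and names.

# write_sample_log <path>: constructed lines in nginx/sshd/EDR/postfix style.
write_sample_log() {
  cat >"$1" <<'EOF'
2024-05-01T10:02:13Z web-01 nginx: 203.0.113.45 - - "GET /wp-login.php HTTP/1.1" 200 ua="python-requests/2.31.0"
2024-05-01T10:02:19Z web-01 nginx: 203.0.113.45 - - "POST /wp-login.php HTTP/1.1" 302 ua="python-requests/2.31.0"
2024-05-01T10:05:40Z web-01 sshd[2231]: Accepted password for www-data from 203.0.113.45 port 51022
2024-05-01T10:06:02Z web-01 edr: process /tmp/.x/sys created, sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 md5=d41d8cd98f00b204e9800998ecf8427e
2024-05-01T10:06:05Z web-01 edr: outbound 10.0.4.17:44812 -> 198.51.100.7:443 host=update-cdn.example.net url=http://update-cdn.example.net/gate.php
2024-05-01T09:58:00Z mail-01 postfix: from=<billing@invoice-example.net> to=<alice@corp.example> subject="Overdue invoice"
EOF
}

# extract_iocs <logfile>: prints "type<TAB>value<TAB>count", one IOC per line.
extract_iocs() {
  awk '
  function valid_ip(ip,   o, n, i) {
    n = split(ip, o, ".")
    if (n != 4) return 0
    for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
    return 1
  }
  # Dotted labels ending in an alphabetic TLD. File names such as gate.php
  # or evil.exe would pass that test, so common extensions are dropped.
  function is_domain(d,   lab, n) {
    if (d !~ /^([A-Za-z0-9-]+\.)+[A-Za-z][A-Za-z]+$/) return 0
    n = split(d, lab, ".")
    return !(tolower(lab[n]) in ext)
  }
  BEGIN {
    m = split("exe dll php txt log sh py ps1 js zip html", e, " ")
    for (j = 1; j <= m; j++) ext[e[j]] = 1
  }
  {
    # User agents contain spaces, so take the quoted ua="..." field whole.
    if (match($0, /ua="[^"]*"/))
      hit["user-agent\t" substr($0, RSTART + 4, RLENGTH - 5)]++
    n = split($0, tok, /[ \t",;()<>=]+/)
    for (i = 1; i <= n; i++) {
      t = tok[i]
      sub(/[.:]+$/, "", t)                               # trailing punctuation
      if (t ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", t)  # ip:port -> ip
      if (t ~ /^[0-9a-fA-F]+$/ && length(t) == 64) hit["sha256\t" tolower(t)]++
      else if (t ~ /^[0-9a-fA-F]+$/ && length(t) == 32) hit["md5\t" tolower(t)]++
      else if (t ~ /^https?:\/\//) {
        hit["url\t" t]++
        h = t; sub(/^https?:\/\//, "", h); sub(/[\/:?#].*$/, "", h)
        if (is_domain(h)) hit["domain\t" tolower(h)]++   # URL host is an IOC too
      }
      else if (t ~ /^[^@]+@[A-Za-z0-9.-]+\.[A-Za-z][A-Za-z]+$/) hit["email\t" tolower(t)]++
      else if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && valid_ip(t)) hit["ipv4\t" t]++
      else if (is_domain(t)) hit["domain\t" tolower(t)]++
    }
  }
  END { for (k in hit) print k "\t" hit[k] }' "$1" | sort
}

# ioc_count <logfile> <type> <value>: occurrences of one indicator (0 if absent).
ioc_count() {
  extract_iocs "$1" | awk -F'\t' -v t="$2" -v v="$3" \
    '$1 == t && $2 == v { c = $3 } END { print c + 0 }'
}

# ioc_table <logfile>: markdown rows for the report, defanged (hxxp, [.]) so
# the values cannot be clicked or auto-resolved when the report is shared.
ioc_table() {
  printf '| Type | Value | Count |\n|---|---|---|\n'
  extract_iocs "$1" | awk -F'\t' '{
    v = $2
    if ($1 != "sha256" && $1 != "md5" && $1 != "user-agent") {
      gsub(/\./, "[.]", v); sub(/^http/, "hxxp", v)
    }
    printf "| %s | %s | %s |\n", $1, v, $3
  }'
}

# Usage: ./iocs.sh /mnt/evidence/web-01/05-journal.txt
if [ "$#" -gt 0 ]; then
  ioc_table "$1"
fi
```

The counts are a triage aid, not a verdict: internal addresses such as 10.0.4.17 appear alongside the attacker's, and the recipient address in the phishing line is a victim, not an indicator. Mark Confidence in the report table accordingly.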
# Incident Triage Report
## Incident ID: [ID]
## Date/Time: [UTC]
## Severity: [Critical/High/Medium/Low]
## Classification: [incident type]
## Status: [Triage/Contained/Analyzing/Resolved]
### Summary
[2-3 sentence overview]
### Affected Systems
| Hostname | IP | Role | Status |
|----------|-----|------|--------|
### Timeline
| Time (UTC) | Event | Source | Notes |
|------------|-------|--------|-------|
### Indicators of Compromise
| Type | Value | Context | Confidence |
|------|-------|---------|------------|
### Containment Actions Taken
- [ ] [Action and result]
### Evidence Preserved
| Type | Location | Hash | Notes |
|------|----------|------|-------|
### Recommended Next Steps
1. [Immediate priority]
2. [Short-term action]
3. [Follow-up investigation]
### Escalation Checklist
- [ ] Management notified
- [ ] Legal notified (if data breach)
- [ ] Law enforcement (if applicable)
- [ ] Affected parties notified (if data breach)
npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skills